Aaron Parecki

alianora https://cybre.space/@nightpool • May 2
@aaronpk sure, but a malicious browser could also save the entire js state to disk in exactly the same way (and some do a limited version of this for caching purposes). so it's hard for me to think of that as a security benefit? this is only more secure if everyone along the line behaves exactly in the way you expect it to

Security is never about stopping 100% of attacks, since that's impossible. It's about mitigating risk, and reducing the attack surface.

It's worth reading this whole document even if it is a bit terse. Here's a good example of an unexpected attack on the Implicit flow: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-4.1

Sunnyvale, California • 49°F

2 replies

Thu, May 2, 2019 3:30pm -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk but the browser is also the one executing the code that's verifying whether the browser transferred the data correctly? maybe a concrete attack would help me get my head around this better

Think of it from the PoV of the thing sending the access token. It wants to make sure the AT ends up in the client and isn't stolen along the way. It can't trust the browser's address bar because the browser isn't the thing it's sending the token to, the code in the browser is.

Mountain View, California • 49°F

Thu, May 2, 2019 10:13am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk but the browser is also the one executing the code that's verifying whether the browser transferred the data correctly? maybe a concrete attack would help me get my head around this better

Here's one: The access token is sent in the address bar, so it becomes part of the browser history. This will be written to disk, and possibly even synced to the browser's "cloud" and then even synced down to other devices.

Mountain View, California • 49°F

1 reply

Thu, May 2, 2019 10:07am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk sorry I guess I should have specified "with https". doesn't https' security model encompass this one?

Nope because the browser is still an unknown there, at least from the point of view of the sender of the sensitive data.

Mountain View, California • 49°F

1 reply

Thu, May 2, 2019 9:03am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

Think of it this way: The server is trying to send some sensitive data to the application, but has no direct communication channel, and instead has to trust some other piece of software (the browser) to deliver it.

Mountain View, California • 49°F

1 reply

Thu, May 2, 2019 8:40am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

An easy example to see is captive wifi portals where the network intercepts DNS requests and returns a different answer.

Mountain View, California • 49°F

Thu, May 2, 2019 8:33am -07:00
alianora https://cybre.space/@nightpool • May 2
@aaronpk This is a good post! But I'm having trouble trying to understand the attack that the authorization flow is protecting against. How can a token be stolen "in transit back to the application"?

That's the classic problem with the front-channel (sending data over HTTP redirects in a browser). The sender has no way to know if the receiver got the data, and has no way to tell if it was stolen or copied.

Mountain View, California • 49°F

Thu, May 2, 2019 8:31am -07:00
Randall Degges https://twitter.com/rdegges • May 2
Just in case you were wondering, there is, in fact, a blockchain magazine for Australians.

ohno

Mountain View, California • 49°F

Wed, May 1, 2019 7:38pm -07:00
Nico Kaiser https://twitter.com/nicokaiser • May 1
From what I understand, the Auth Code flow (even with PKCE) needs some kind of backend in the app (i.e., no static HTML-only cross-domain SPA), or am I missing something?

If you read the post I talk about exactly that issue and provide sample code for doing auth code + PKCE entirely in JavaScript

Mountain View, California, USA • 49°F

1 reply

Wed, May 1, 2019 9:58am -07:00
Justin Richer https://twitter.com/justin__richer • Apr 28
I've been working on a protocol idea recently, and I've written up some thoughts with strawman examples at https://oauth.xyz/

It's far from final or complete, but if you're coming to #iiw, come talk to me about it.

What's your preferred channel for getting feedback on this? Email? Blog posts? Issues on the site's GitHub repo?

Also if you're planning on running a session about this at #IIW please hold it on the 2nd or 3rd day since I have to miss the first day!

Portland, Oregon, USA

2 likes 1 reply

Mon, Apr 29, 2019 4:05pm -07:00 #iiw
Justin Richer https://twitter.com/justin__richer • Apr 29
California, I am in you! #iiw

see you soon!

Portland, Oregon • 49°F

Sun, Apr 28, 2019 10:43pm -07:00
Apr 26
About Luminary’s $100 million: many of us are working 7 days a week on a tiny budget to build something we think is important, and Luminary and the like will light VC checks on fire to burn the podcast industry down around them if it means the chance to monetize an open platform.

👏 well said 👏

Portland, Oregon • 49°F

Fri, Apr 26, 2019 10:39pm -07:00
Darius Kazemi https://friend.camp/@darius • Apr 24
whew, just added 3 more posts in an attempt to catch up on my 365 RFCs project
https://write.as/365-rfcs/rfc-77
https://write.as/365-rfcs/rfc-78
https://write.as/365-rfcs/rfc-79
I am currently... 35 days behind. Oof.

This is such a cool project though.

If I learned anything from writing a song every day for 100 days in a row it's that doing *anything* every day is a serious challenge, much less something that takes creative effort or critical thinking!

Portland, Oregon • 49°F

1 like

Thu, Apr 25, 2019 9:09am -07:00
Jonathan LaCour https://cleverdevil.io/profile/cleverdevil • Apr 24
In other news, I picked up an Anker PowerPort Atom PD1 charger last week and I am blown away. Its absolutely tiny, charges my iPhone extremely quickly, and can even charge my 13" MacBook Pro. Highly recommended - https://amzn.to/2DyF3GX

My new favorite charger is the Innergie 60C, it's the size of an iPhone charger but about twice the height and provides 60W! I remember looking at that one but was skeptical that 30W would be enough for the 13" Pro. https://amzn.to/2GJWUf9

Portland, Oregon • 49°F

Wed, Apr 24, 2019 3:57pm -07:00
Jonathan LaCour https://cleverdevil.io/profile/cleverdevil • Apr 24
Really would love a copy of Logic Pro X for podcast production/editing, but I just can't justify the cost. Its a shame that GarageBand doesn't have a real podcast workflow. Perhaps Ferrite will end up on macOS soon to fill the gap...

What is Garage Band missing? I've used it for podcast editing before. Logic Pro is pretty much just a grown-up version of Garage Band, they are very similar though!

Portland, Oregon • 49°F

1 reply

Wed, Apr 24, 2019 11:53am -07:00
Evan Prodromou https://twitter.com/evanpro • Apr 22
Anyway, I think there may be an upper limit on hiring for a project, where there are tasks that just can't be decomposed. But I think there are plenty of projects where hiring more people makes things go faster.

Yeah I think there's some point where hiring more does make the team more productive (from 1 to 2 people for example), but much beyond that I think there are diminishing returns. Hiring people with skills other than development is a whole different story tho.

Portland, Oregon, USA • 49°F

2 likes 1 reply

Mon, Apr 22, 2019 4:05pm -07:00
Christopher Lemmer Webber https://octodon.social/@cwebber • Apr 20
Jetblue is rolling out a procedure where they identify customers not by their boarding pass or passport, but by facial recognition provided by the Department of Homeland Security https://twitter.com/mackenzief/status/1118509708673998848 http://mediaroom.jetblue.com/investor-relations/press-releases/2018/11-15-2018-184045420
Makes me feel sick to my stomach. I should stop flying places.

British Airlines did this on my last flight from the UK. I don't quite understand how I was already in that database.

Portland, Oregon • 49°F

1 like

Sun, Apr 21, 2019 11:00pm -07:00
Alexander Martin https://fosstodon.org/@alexbuzzbee • Apr 19
@aaronpk > that feeling when when
I regret to inform you that you appear to be showing symptoms of RAS Syndrome.

leave me and my ATM machine alone

San Francisco, California • 49°F

1 reply

Fri, Apr 19, 2019 2:14pm -07:00
MrGibber https://micro.blog/MrGibber • Apr 19
@aaronpk read the summary, probably not for me. However, hats off for clearly starting the audience. Many authors, businesses, schools, etc. would be much better off doing so. I'm basically the opposite of the audience, except I haven't put up the picket fence yet.

yeah I get that. fwiw most of the advice is applicable to literally everyone though, so you never know!

San Francisco, California • 49°F

1 reply

Fri, Apr 19, 2019 1:47pm -07:00
MrGibber https://micro.blog/MrGibber • Apr 18
@aaronpk how was the book?

It's great! Also, a little bird told me there aren't very many copies left so you should buy one now if you're interested before they run out!

Chicago, Illinois • 49°F

2 replies

Thu, Apr 18, 2019 5:33pm -05:00

older